Defining an Enterprise Security Strategy - Page 2

Transaction security works from a dynamic perspective. It attempts to secure each session with five primary activities: non-repudiation, integrity, authentication, confidentiality and virus detection. Transaction security ensures that session data is secure before being transported across the enterprise or Internet. This is important when dealing with the Internet, since data is vulnerable to those who would use the valuable information without permission. E-Commerce employs industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication and confidentiality. Virus detection provides transaction security by examining data files for signs of virus infection before they are transported to an internal user or sent across the Internet. The following describes industry standard transaction security protocols.

Non-Repudiation - RSA Digital Signatures

Integrity - MD5 Route Authentication

Authentication - Digital Certificates

Confidentiality - IPSec/IKE/3DES

Virus Detection - McAfee/Norton Antivirus Software

Monitoring Security

Monitoring network traffic for security attacks, vulnerabilities and unusual events is essential for any security strategy. This assessment identifies what strategies and applications are being employed. The following list describes some typical monitoring solutions.

Intrusion detection sensors are available for monitoring real-time traffic as it arrives at your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment testing tool that should be considered for your organization.

Syslog server messaging is a standard UNIX program found at many companies that writes security events to a log file for examination. It is important to have audit trails to record network changes and assist with isolating security issues.

Big companies that utilize a lot of analog dial lines for modems sometimes employ dial scanners to determine open lines that could be exploited by security hackers.

Facilities security is typically badge access to equipment and servers that host mission-critical data. Badge access systems record the date/time that each specific employee entered and left the telecom room.

Cameras sometimes record what specific activities were conducted as well.

Intrusion Prevention Sensors (IPS): Cisco markets intrusion prevention sensors (IPS) to enterprise clients for improving the security posture of the company network. The Cisco IPS 4200 series places sensors at strategic locations on the inside and outside network, protecting switches, routers and servers from hackers. IPS sensors examine network traffic in real time or inline, comparing packets with pre-defined signatures. If the sensor detects suspicious behavior, it sends an alarm, drops the packet, and takes some evasive action to counter the attack. A sensor can be deployed in inline IPS mode, in IDS mode where traffic does not flow through the device, or as a hybrid device. Most sensors inside the data center network will be designated IPS mode, with its dynamic security features thwarting attacks as soon as they occur. Note that IOS intrusion prevention software is available today with routers as an option.

Vulnerability Assessment Testing (VAST): IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner focused on enterprise customers for assessing network vulnerabilities from an external and internal perspective. The software runs on agents and scans various network devices and servers for known security holes and potential vulnerabilities. The process consists of network discovery, data collection, analysis and reports. Data is collected from routers, switches, servers, firewalls, workstations, operating systems and network services. Potential vulnerabilities are verified through non-destructive testing, and recommendations are made for correcting any security problems. The scanner includes a reporting facility that presents the findings to company staff.

Syslog Server Messaging: Cisco IOS supports Syslog, a UNIX logging program that reports on a variety of device activities and error conditions. Most routers and switches generate Syslog messages, which are sent to a designated UNIX workstation for review. If your Network Management Console (NMS) runs on the Windows platform, there are utilities that allow viewing of log files and sending Syslog files between a UNIX and Windows NMS.
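The audit-trail review described in the two Syslog passages above, as an added example that is not from the original article: a small parser for Cisco IOS-style Syslog lines as a UNIX syslog server would store them, pulling out the facility, severity and mnemonic and flagging configuration changes and login events for review. The sample lines, the watched-mnemonic set and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of IOS-style messages as received by a syslog server
# (RFC 3164 <PRI> prefix, IOS sequence number, timestamp, %FACILITY-SEV-MNEMONIC).
SAMPLE_LOG = """\
<189>12: *Nov 20 18:03:11.402: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<188>13: *Nov 20 18:04:02.118: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
<187>14: *Nov 20 18:05:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<189>15: *Nov 20 18:06:00.250: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
"""

# Mnemonics a reviewer pulls out of the audit trail first (assumed set for this example).
WATCHED = {"CONFIG_I", "LOGIN_FAILED", "LOGIN_SUCCESS"}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): \*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

@dataclass
class Event:
    seq: int
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str
    syslog_facility: int  # decoded from PRI: facility = PRI // 8
    syslog_severity: int  # decoded from PRI: severity = PRI % 8

def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for lines that do not match the IOS layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return Event(int(m["seq"]), m["ts"], m["facility"], int(m["severity"]),
                 m["mnemonic"], m["text"], pri // 8, pri % 8)

def audit_events(log: str) -> list[Event]:
    """Return only the events a security reviewer wants on the audit trail, in log order."""
    parsed = (parse_line(line) for line in log.splitlines())
    return [e for e in parsed if e is not None and e.mnemonic in WATCHED]

def failed_login_sources(events: list[Event]) -> dict[str, int]:
    """Count LOGIN_FAILED events per source address so repeated failures stand out."""
    counts: dict[str, int] = {}
    for e in events:
        src = re.search(r"\[Source: ([\d.]+)\]", e.text)
        if e.mnemonic == "LOGIN_FAILED" and src:
            counts[src.group(1)] = counts.get(src.group(1), 0) + 1
    return counts
```

Run `audit_events(SAMPLE_LOG)` to get the CONFIG_I and two login events; the LINK-3-UPDOWN line is parsed but not flagged, and any malformed line is skipped rather than breaking the review.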

Not bad, you missed a lot. With policies you also should have procedures and education/awareness. Incident response is really important to contain and mitigate the impact of an attack. You need a defense-in-depth strategy with both ingress and egress controls. Technical controls are important, and knowing who did what and when will help. One other aspect (and I have not covered all aspects of a defense-in-depth strategy) is audit and review. Audits give you an in-depth perspective of your controls and whether they are working.

Nov 20, 2009 6:11 PM Coby Royer says:

I have to say that Access Control is the quintessential element of Enterprise Security. Perhaps this could fit into Transaction Security in your taxonomy. Going beyond transaction and network security, the Enterprise Security steward must address WHO is allowed to access WHAT. Not all accesses are transactional; as security professionals we ensure enterprise knowledge assets are protected as well (e.g., maintaining the "Chinese Wall" for investment banking research etc). Access Control technology effects the CONTROLS that ensure adherence to your Security Policy, basically giving teeth to the policies that use verbiage to describe who has access to what.
